Real-time policy distribution

ABSTRACT

In an example, there is disclosed a method and system for real-time policy and task distribution to endpoints over a data exchange layer. According to one embodiment, a persistent point-to-point messaging framework is used to distributed configuration policy and tasks to a distributed, disparate set of devices immediately upon policy definition. Advantageously, the data exchange layer may facilitate delivery of messages even to endpoints that sit, for example, behind a firewall or NAT.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to U.S. Provisional Application61/884,022, filed 28 Sep. 2013, entitled “Real-Time Policy Distributionto Unreachable Systems,” which is incorporated herein by reference.

FIELD OF THE DISCLOSURE

This application relates to the field of enterprise security, and moreparticularly to real-time policy distribution over a data exchangelayer.

BACKGROUND

An enterprise service bus (ESB) is a software-based network architecturethat provides a medium of data exchange over a service-orientedarchitecture. In some embodiments, ESB is a special case of aclient-server software architecture in which clients may route messagesthrough the server.

Software, binaries, executables, advertising, web pages, documents,macros, executable objects, and other data provided to users(collectively “executable objects”) may include security flaws andprivacy leaks that are subject to exploitation by malware. As usedthroughout this specification, malicious software (“malware”) mayinclude a virus, Trojan, zombie, rootkit, backdoor, worm, spyware,adware, ransomware, dialer, payload, malicious browser helper object,cookie, logger, or similar application or part of an applicationdesigned to take a potentially-unwanted action, including by way ofnon-limiting example data destruction, covert data collection, covertcommunication, browser hijacking, network proxy hijacking orredirection, covert tracking, data logging, keylogging, excessive ordeliberate barriers to removal, contact harvesting, unwanted use ofpremium services, and unauthorized self-propagation. In some cases,malware may also include legitimate software that includes inadvertentsecurity flaws that cause or enable malware behavior. “Malware behavior”is defined as any behavior that qualifies an application as malware orgrayware. Some prior art systems are configured to identify and blockmalware, for example by maintaining databases of known malware.

In addition to executable objects, computing devices may encounterstatic objects, which are not intended to change the operating state ofa computer. As a class, executable objects and static objects may bereferred to simply as “objects.” An enterprise security concern is theclassification of objects' malware status.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is best understood from the following detaileddescription when read with the accompanying FIGURES. It is emphasizedthat, in accordance with the standard practice in the industry, variousfeatures are not drawn to scale and are used for illustration purposesonly. In fact, the dimensions of the various features may be arbitrarilyincreased or reduced for clarity of discussion.

FIG. 1 is a network diagram of a context-aware network with DXLcapability according to one or more examples of the presentspecification.

FIG. 1A is an example where a domain master is a joint threatintelligence (JTI) server according to one or more examples of thepresent specification.

FIG. 1B is a network diagram of select elements and a context-awarenetwork according to one or more examples of the present specification.

FIG. 2 is a network diagram disclosing a distributed architectureaccording to one or more examples of the present specification.

FIG. 3 is a network diagram of an example data exchange layer (DXL)network operating across a traditional enterprise boundary according toone or more examples of the present specification.

FIG. 4 is a network diagram of a context-aware network according to oneor more examples of the present specification.

FIG. 5 is a block diagram of a DXL broker according to one or moreexamples of the present specification.

FIG. 6 is a block diagram of a common information model (CIM) serveraccording to one or more examples of the present specification.

FIG. 7 is a block diagram of a domain master according to one or moreexamples of the present specification.

FIG. 8 is a block diagram of a client according to one or more examplesof the present specification.

FIG. 9 is a flow diagram illustrating evaluation of an object in ahierarchical manner according to one or more examples of the presentspecification.

FIG. 10 is a flow diagram of a method performed by a client according toone or more examples of the present specification.

FIG. 10A is a flow diagram of a method performed by a JTI server inconnection with the method of FIG. 10 according to one or more exampleembodiments of the present specification.

FIG. 11 is a flow diagram of a method of a JTI server servicing areputation request according to one or more examples of the presentspecification.

FIG. 12 is a flow diagram of an enhancement to the method of FIG. 10Aaccording to one or more examples of the present specification.

FIG. 13 is a flow diagram of a method performed by a DXL masteraccording to one or more examples of the present specification.

FIG. 14 is a flow diagram of a method performed by a DXL broker inresponse to a command-level message containing a security policyconfiguration update according to one or more examples of the presentspecification.

FIG. 15 is a flow diagram of a method performed by a client responsiveto receiving a security policy update, either from a domain master or aDXL broker according to one or more examples of the presentspecification.

DETAILED DESCRIPTION OF THE EMBODIMENTS Overview

In an example, there is disclosed a method and system for real-timepolicy and task distribution to endpoints over a data exchange layer.According to one embodiment, a persistent point-to-point messagingframework is used to distribute configuration policy and tasks to adistributed, disparate set of devices immediately upon policydefinition. Advantageously, the data exchange layer may facilitatedelivery of messages even to endpoints that sit, for example, behind afirewall or NAT.

Examples of the Disclosure

The following disclosure provides many different embodiments, orexamples, for implementing different features of the present disclosure.Specific examples of components and arrangements are described below tosimplify the present disclosure. These are, of course, merely examplesand are not intended to be limiting. Further, the present disclosure mayrepeat reference numerals and/or letters in the various examples. Thisrepetition is for the purpose of simplicity and clarity and does not initself dictate a relationship between the various embodiments and/orconfigurations discussed.

Different embodiments many have different advantages, and no particularadvantage is necessarily required of any embodiment.

In an increasingly heterogeneous software ecosystem, enterprises mayface new and enhanced security challenges and malware threats. Thiscreates a situation in which real-time exchange of threat intelligencebetween otherwise autonomous network elements is desirable. Increasedsharing may improve security between devices that otherwise operate intheir own security “silos.”

The system and method of the present specification addresses suchchallenges by providing standardized data representations across datasources, and safeguarding the quality of data shared by disparatesources.

Context-aware computing (CAC) is a style of computing in whichsituational and environmental information about people, places andthings is used to anticipate immediate needs and proactively offerenriched, situation-aware, and usable functions and experiences.Context-aware computing relies on capturing data about the world as itis at the moment the system is running.

According to one or more examples of the present specification, a“context-aware network” is an adaptive system, including for example asecurity system, of interconnected services that communicate and shareinformation to make real-time, accurate decisions by individual productsand/or as a collective. According to an example, network, endpoint,database, application and other security solutions are no longer tooperate as separate “silos” but as one synchronized, real-time,context-aware and adaptive, security system.

In an example, multiple network elements are connected to one anothervia a data exchange layer (DXL), which is a type of ESB that is suitablefor exchange of security-related messages among other things. As usedherein, “network elements” include any type of client or server (e.g., avideo server, a web server, etc.), routers, switches, gateways, bridges,load-balancers, firewalls, inline service nodes, proxies, networkappliances, processors, modules, or any other suitable device,component, element, or object operable to exchange information in anetwork environment. More specifically, DXL endpoints are networkelements that interact over a DXL ESB. DXL endpoints may be distributedacross a customer network and communicate in “real-time” in a trusted,secure, and reliable fashion. This may provide increased automation andimproved security services.

In an example, DXL endpoints are deployed at strategic locations withina network to intercept ongoing business activity, inspect and interpretit, and ultimately determine whether it is authorized, meaning forexample that it is consistent with enterprise security policies. In somecases, network elements make such decisions “in-band,” momentarilysuspending the business activity, and in “machine-real-time,” atlatencies low enough to avoid a significant user-perceptible delay inthe business activity.

In some cases, network elements may have independent access to securitydata only by way of their own independent analysis and observation, andvia scheduled definition updates, which may come, for example, on aweekly basis as updated malware definitions.

Because network elements are often heterogeneous and may be deployed,particularly in a modern network, in a temporary or ad hoc fashion,real-time intelligence becomes a challenge, particularly when “in-band”decisions are necessary. Furthermore, an enterprise may procure securitysolutions in a piecemeal fashion, so that one product cannot alwaysassume the presence of another product. For example, there may not be asingle, pre-defined repository of threat intelligence for networkelements to consult, and regular malware definition updates may notinclude lately discovered threats. Representation and interpretation ofdata offer yet another challenge. Network elements may use disparate,proprietary data representations. Thus, for example, even an antivirusscanner may not be configured to share newly-discovered malwareinformation with a network-based security device. Trustworthiness ofinformation may be yet another challenge in other contexts. In otherwords, even if an antivirus scanner and network-based security deviceare configured to share security intelligence, each may not have a meansof validating intelligence received from the other.

In an example, the present specification provides a data exchange layer(DXL), which may operate on a lightweight messaging-based communicationsinfrastructure such as ESB and be configured to allow endpoints to sharecontextual data. DXL may be one element of a larger security-connectedframework, which is an adaptive system, such as a security system, ofinterconnected services that communicate and share information to makereal-time, accurate security decisions by individual security productsand/or as a collective. According to an example, network, endpoint,database, application and other security solutions need not operate asseparate ‘silos’ but as one synchronized, real-time, context-aware andadaptive security system.

In an example of a security-connected framework, a real-time,bi-directional communications fabric is provided for enabling real-timesecurity management. Specifically, certain existing messaginginfrastructures are based on one-to-many communications(publish-subscribe). The publish-subscribe capabilities may besignificantly enhanced, so that communication can be one-to-one (forexample, peer-to-peer), or bi-directional (for example, query-response).Advantageously, the framework can scale to millions of concurrentconnected clients, so that any connected client can reach any otherconnected client in real-time or near real-time regardless of thephysical location of the connected clients. To this end, the DXLabstraction layer is provided between different types of connectedclients, and acts as an intermediary communications medium.

A DXL domain master may combine and reconcile the client propertiesreceived from a plurality of sources into a single record of truthaccording to a common information model (CIM), containing a single valueor values. This may include determining that a first data source is moretrusted than a second data source, and using the data from the firstdata source, or otherwise reconciling a plurality of data into a singlerecord.

The reconciled data may be stored in a domain database, and a domainmaster may publish the client properties on the DXL. A DXL broker maythen forward the published message to DXL endpoints, which receives asingular and most accurate reconciled value. Subsequently, a client maysend a DXL request over the DXL, inquiring about the properties of a DXLclient. The DXL broker receives this request and automatically routes itto a domain master. The domain master retrieves the client propertiesfrom its domain database and sends a DXL response message, which the DXLbroker receives and forwards to the DXL client. Note that while the“publish-subscribe” transactions in this example are one-to-many,one-to-one “request-response” transactions are natively provided on thesame fabric.

Further adding to extensibility, new or better data sources may beincorporated, by integrating them with domain master 160. This may becompletely transparent to clients 120 and other DXL endpoints.

Additional features of a DXL broker may include, by way of non-limitingexample: service and location registries to lookup registered endpoints,available services, and their locations; publish/subscribe (1:N),request/response (1:1), device-to-device (1:1), and push notificationmessaging interfaces; optimized message passing between brokers;destination-aware message routing; and broker-to-broker failover.

Advantageously, domain masters need not be concerned with how each DXLendpoint treats a published message. Rather, that can be a matter ofenterprise security policy.

FIG. 1 is a network diagram of a context-aware network 100 with DXLcapability. According to this example, a plurality of clients 120connected to a DXL enterprise service bus (ESB) 130. DXL ESB 130 is anexample of a DXL fabric, and may be provided on top of an existingnetwork, such as a local area network (LAN). Client 120 may be anysuitable computing device, including by way of non-limiting example acomputer, a personal digital assistant (PDA), a laptop or electronicnotebook, a cellular telephone, an IP telephone, an iPhone™, an iPad™, aMicrosoft Surface™, an Android™ phone, a Google Nexus™, or any otherdevice, component, element, or object capable of initiating voice,audio, or data exchanges within a communication system, including asuitable interface to an end user, such as a microphone, a display, or akeyboard or other terminal equipment. In the example of FIG. 1, client120-1 is an embedded device, such as a network security sensor. Client120-2 is a virtual machine. Client 120-3 is a laptop or notebookcomputer. Client 120-4 is a desktop computer.

DXL ESB 130 may be any type of physical or virtual network connectionover which appropriate data may pass. At present, there is no fixed orglobal standard for an ESB, and the term, as used herein, is intendedbroadly to encompass any network technology or topology suitable formessage exchange. In one embodiment, message queuing telemetry transport(MQTT) messages are exchanged on port 8883. In some cases, clients 120,DXL broker 110, domain master 160, database 162, JTI server (FIG. 1A),proxy 170 (FIG. 1A), and threat intelligence service 180 (FIG. 1A), allby way of non-limiting example, may be referred to as “networkelements.”

Network elements configured to operate on or with DXL ESB 130 may bereferred to as “DXL endpoints.” These may include, in an example,clients 120, DXL broker 110, and domain master 160.

DXL broker 110 may be configured to provide DXL messaging services overDXL ESB 130, such as maintaining DXL routing tables and deliveringmessages.

DXL broker 110 provides DXL services 190, which in an example arenetwork services operable to provide DXL ESB 130 to DXL endpoints.

Domain master 160 may be configured to communicatively couple to DXLbroker 130. Domain master 160 may maintain domain data in a databasesuch as database 162. In this example, domain master 160 and database162 are shown as two distinct entities, but it should be noted that manyconfigurations are possible. For example, database 162 may reside on adisk drive local to the domain master 160, or may be separately orremotely hosted. Database 162 is disclosed by way of example, and may beany suitable data store, including a structured or relational database,distributed database, or flat file by way of non-limiting example.

By way of operative example, a client such as laptop 120-3 connects tothe LAN and receives a new IP address. At this point, several propertiesof laptop 120-3 become knowable to other network elements, including, byway of non-limiting example, IP address, information about its operatingsystem, and the logged-on user's username. For ease of reference, theseare referred to as “client properties” throughout this example. Clientproperties are embodiments of security-intelligence data, and are ofinterest to virtual machine 120-2, which has previously subscribed thesecurity-intelligence data topic with domain master 160.

Client properties may be reported to the DXL simultaneously by twodistinct sources, namely by laptop 120-3, and by network security sensor120-1. However, network security sensor 120-1 may fail to report ausername value. It may also report an OS value different from thatreported by the laptop 120-3. This may be, for example, because networksecurity sensor 120-1 is sensing data remotely, and may not be able todetermine these values as reliably as laptop 120-3 itself.

Domain master 160 is responsible for the “client system” data domain,which includes client properties. When laptop 120-3 and client 120-1publish a message containing the client properties, both messages arefirst routed to DXL broker 110. DXL broker 110 may then forward theclient properties to domain master 160.

Domain master 160 may combine and reconcile the client propertiesreceived from the two sources into a single record of truth, containinga single value for IP address, operating system, and usernamerespectively. Specifically, it may determine via its own logic andperhaps prior configuration that laptop 120-3 is trusted more for OSvalue than network security sensor 120-1. Therefore, domain master 160may ignore the “operating system” value received from network securitysensor 120-1 when it conflicts with laptop 120-3.

The reconciled client properties are persistently stored in domaindatabase 162. Domain master 160 may then publish the client propertieson DXL ESB 130. DXL broker 110 may then forward the published message tovirtual machine 120-2, which receives a singular and most accurate valuefor client properties.

Subsequently, client 120-4 may send a DXL request over DXL ESB 130,inquiring about the client properties for laptop 120-3. DXL broker 110receives this request and automatically routes it to domain master 160.Domain master 160 retrieves the client properties from domain database162 and sends a DXL response message, which DXL broker 110 receives andforwards to client 120-4. Note that while the “publish-subscribe”transactions in this example are one-to-many, the “request-response”transactions are one-to-one.

In some embodiments, DXL may be characterized by messaging that allowsloose integration or coupling of multiple network elements. Loosecoupling may reduce the assumptions each DXL endpoint must make aboutother DXL endpoints, such as the presence of certain capabilities,hardware, or software. According to one or more examples of the presentspecification, DXL is a ‘Plug-and-Play’ application programminginterface (API), and may facilitate context-aware and adaptive securityby enabling context to be shared between products.

Further according to one or more examples of the present specification,DXL is an elastic architecture with multiple deployment options and ishighly scalable. DXL may also be designed with openness in mind andenable third-party integration.

DXL ESB 130 may be based on a two-layer protocol. The “bottom” layer isa secure, reliable, low-latency data transport fabric that connectsdiverse security elements as a mesh, or in a hub-and-spokeconfiguration. The “top” layer is an extensible data exchange frameworkthat is configured to facilitate trustworthy data representation.

In an example, DXL endpoints connect to DXL ESB 130. Each DXL endpointis assigned a distinct identity, and authenticates itself to DXL ESB 130upon startup, for example via a certificate or other secure token. DXLendpoints may establish one-to-one communications via DXL ESB 130, forexample by sending a DXL message addressed to a DXL endpoint with aspecific identity. This enables DXL endpoints to communicate with eachother without having to establish a point-to-point network connection.In an example, this is analogous to a person-to-person phone call.

In another example, DXL may provide a publish-subscribe framework inwhich certain DXL endpoints “subscribe” to messages of a certain type.When a DXL endpoint “publishes” a message of that type on DXL ESB 130,all subscribers may process the message, while non-subscribers maysafely ignore it. In an example, this is analogous to a podcastsubscription service. In yet another example, DXL may provide arequest-response framework. In this case, one DXL endpoint may publish arequest over DXL ESB 130. An appropriate DXL endpoint receiving therequest may provide a response. Advantageously, the response may be usedby more than just the DXL endpoint that originally published therequest. For example, if a client 120 publishes a request for anobject's reputation, JTI server 150 may respond by publishing thereputation. Thus, other clients 120 that find instances of the objectmay benefit from the response. For example, clients 120 may maintain acomprehensive cache of reputations published on the network. If a client120 then newly encounters an object that is known on the network, client120 already has an up-to-date reputation for the object.

DXL ESB 130 may be implemented using diverse software elements,patterns, and constructs suited to the specific infrastructureconnecting the security elements. For instance, in a physical enterprisenetwork, messaging middleware consisting of multiple interconnectedmessage brokers may be deployed, where endpoints connect to the closestbroker. In a virtual network infrastructure, the fabric may leveragehypervisor provided channels.

As noted above, DXL ESB 130 may be configured to provide real-time,trusted exchange of data among otherwise-autonomous,dynamically-assembled DXL endpoints. Thus, in an example DXL ESB 130'sconceptual framework may comprise two virtual components:

-   -   a. Broad collections of security-relevant data are categorized        into “data domains.” Each data domain is a closely related        sub-collection of entities, attributes, and inter-relationships.    -   b. Domain master 160 is a data provider assigned ownership of        data for each domain. Domain master 160 acts as an intermediate        trusted data broker between first-hand sources of raw        “intelligence” data, and data consumer endpoints such as clients        120. Intelligence data may flow from data producer endpoints to        the appropriate domain master 160, and then be relayed to data        consumer endpoints such as clients 120. Note that in this        example, the concepts of “data producer” and “data consumer” are        contextual roles, and not necessarily physical devices. A client        120 may be a data producer in one context and a data consumer in        another context.

In an example, domain master 160 may establish first-hand trustrelationships with data-provider endpoints. This enables it to gauge thequality (including accuracy and reliability) of data (such as reputationdata) it receives from any particular source. When duplicate, piecemealdata is received from multiple (independent) sources, such as differentclients 120, domain master 160 may reconcile the data and resolveconflicts to derive a single best-known record of truth (such as, forexample, a reputation) for each object. This ensures that clients 120receive consistent data.

Domain master 160 may also transform data into a well-understood,standardized representation. This representation may be published on DXLESB 130, so that all clients 120 receive usable data.

Advantageously, DXL endpoints do not need to know what device originateddata, or make point-to-point connections to other DXL endpoints, evenwhen one-to-one communication is necessary. Rather, DXL client softwareor DXL extensions enable a DXL endpoint to use its own local APIs forquerying and receiving data. To increase network efficiency, DXLendpoints may cache received data locally, which data may be trusteduntil it is superseded by an authorized DXL message. For example,clients 120 may subscribe to published reputations for objects. When anobject reputation is received, either in response to a request-responsetransaction, or in a publish-subscribe model, client 120 may store thereputation in a local database. The reputation may be trusted untilsuperseded, because DXL master 160 is configured to publish a reputationupdate whenever it receives an updated reputation. Thus, frequentindividual data requests from clients 120 become bulk datasubscriptions, as published reputations are available to all clients 120that subscribe to reputations. Advantageously, this may reduce thelatency of data exchanges.

In yet another example, DXL broker 110 provides a discovery and locationservice that informs DXL endpoints of the specific domain master 160 towhich data query and subscription requests should be routed.

Advantageously, the example DXL architecture described herein isflexible. For example, individual data sources may connect anddisconnect from the network without affecting data consumers. Domainmaster 160 may simply rely on whatever data sources are available.Furthermore, the framework makes no assumptions about the physicallocation or specifically how domain master 160 or domain endpoints aredeployed or configured. So long as each network element provides validDXL messaging, traffic is routed correctly.

In the example above, DXL master 160 is a logical singleton, but itshould be noted that DXL master 160 may be implemented, for example, asa set of distributed service components, where each component serviceseither a subset of the domain, or provides a local data replica of aservice running elsewhere. Such configurations may enhance scale,performance, and reliability. This may also allow services to betransparently relocated.

Further advantageously, the DXL framework provided herein is extensible.For example, data about new entities and relationships may be providedsimply by creating new data domains. New attributes and relationshipsfor existing data domains may be provided simply by defining new messagetypes for those domains.

In an example, domain master 160 has responsibility over the domain ofmalware data. To distinguish messages from the “malware” domain, such asnetwork status and device maintenance, a namespace may be defined foreach. For example, the reputation domain may use the “MALWARE”namespace, the network status domain may use the “STATUS” namespace, andthe device maintenance domain may use the “MAINT” namespace. Thus, ifdomain master 160 is the master for the reputation domain, it knows toprocess messages within the malware namespace, and to ignore all others.This allows a designer for each domain to assign a set of messageswithout having to consult existing domains to avoid name collisions formessages.

For example, both the reputation domain and a device maintenance domainmay have use for a message such as DOWNLOAD_UPDATES. In the case of thereputation domain, this message may be an instruction to retrieveupdated malware definitions from JTI server 150. In the devicemaintenance domain, this may be an instruction to download operatingsystem updates from a vendor.

Clients 120 may be configured to exchange data from several DXL domainsand may subscribe to messages on both the reputation domain and thedevice maintenance domain. Thus, client 120-1 for example, may parse andrespond to a DXL message DOWNLOAD_UPDATES by requesting bulk reputationupdates. In one embodiment, the message requesting malware updates mayitself be a DXL message. In some cases, for example where the updatesare large and are not needed in real-time, delivery of the updates maybe completed outside of the DXL architecture to reserve a DXL forlightweight, high-speed messaging.

Client 120 may also know that it should parse and respond to MAINT:DOWNLOAD_UPDATES by contacting a vendor's servers and requestingupdates.

In the case where domain master 160 is configured as the master for thereputation domain, it may know to ignore all DXL messages that are notin the MALWARE namespace. Note, however, that a single physical devicemay be configured to act as a domain master for multiple domains, inwhich case traffic in different namespaces may be passed to differentsubroutines. In some embodiments, DXL broker 110 may be configured tosynthesize reports from a plurality of DXL network devices such asclients 120 that are given lesser privileges, such as “suggest”privileges on DXL ESB 130.

Further adding to extensibility, new or better data sources may beincorporated, by integrating them with domain master 160. This may becompletely transparent to clients 120 and other DXL endpoints.

Additional features of a DXL broker 110 may include, by way ofnon-limiting example: service and location registries to look upregistered endpoints, available services, and their locations;publish/subscribe (1:N), request/response (1:1), device-to-device (1:1),and push notification messaging interfaces; optimized message passingbetween brokers; destination-aware message routing; and broker-to-brokerfailover.

Advantageously, domain master 160 need not be concerned with how eachDXL endpoint treats a published message. Rather, that can be a matter ofenterprise security policy.

Additional DXL features for clients 120 may include, by way ofnon-limiting example: local message bus integration with an API todiscover brokers, authenticate to DXL, and send and receive cataloguedmessages.

Additional general features of context-aware network 100 may include, byway of non-limiting example: DXL broker and client provisioning andmanagement of domain master 160; policy-based authorization of endpointson DXL ESB 130; secure SSL-based communications; proxy support foroff-premises communications; and domain master appliances pre-configuredwith DXL broker functionality (thus joining domain master 160 and DXLbroker 110 into one device).

FIG. 1A is an example where domain master 160 is a joint threatintelligence (JTI) server 150, providing for example, object reputationservices on the “reputation” domain according to one or more examples ofthe present specification. JTI server 150 may communicatively couple toDXL broker 110. JTI server 150 may be a middleware appliance configuredto provide reputation services, maintain metadata about network objects(such as reputation, prevalence, and intelligence, by way ofnon-limiting example), call out to external scanners for an object'sreputation classification, and provide telemetry data to threatintelligence service 180. JTI server 150 may communicate with a globalthreat intelligence service 180 via a proxy 170, which may includeeither communication over DXL ESB 130, or over a more traditional IPnetwork.

Advantageously, JTI server 150, in connection with threat intelligenceservice 180, may provide crowd-sourced object reputations. JTI server150 may also provide administrator overrides. These may includeaggregation of administrator override policies from several enterprises,for whether an object should be run on a network and whether acertificate is considered “clean.” These may also include client-sideresults, such as an aggregate of end-user decisions of whether to allowor block an object.

In another example, JTI server 150 may track prevalence data, includingthe prevalence of an object on context-aware network 100.

In yet another example, JTI server 150 may serve as a telemetryaggregator/proxy to gather and send to threat intelligence service 180telemetry from endpoints that do not directly interact with threatintelligence service 180. JTI server 150 may also contribute filemetadata to threat intelligence service 180, such as hashes, digitalsignature data, and file attributes.

JTI server 150 may receive several such messages from different clients120, and in some cases, the messages may conflict with one another. Uponreceiving an initial report from a client 120 identifying an object asmalware, domain master 160 may publish a warning that the other clientsshould give additional scrutiny to the object, such as deep scanning orrequesting user verification before executing the object. In otherembodiments, domain master 160 may provide such information in responseto a request for an object reputation from a client 120.

If additional clients 120 identify the object as malware, then aconfidence indicator may pass a threshold. JTI server 150 may thenpublish a higher-level, such as command-level, message identifying theobject as malware. If JTI server 150 receives multiple conflictingreports from different clients, a synthesis algorithm may provide anappropriate action. For example, if one or a few clients are found to beoutliers, reporting a status different from a large majority of otherclients, the outliers may be discarded. This synthesis algorithm mayalso account for specific clients' past reputations for accuratereporting, or for a reputation assigned based on installed hardware orsoftware.

In an example where domain master 160 is a JTI server 150, this exampleillustrates the value of designating a hierarchy or other schema forassigning DXL endpoint privileges. For example, with respect todesignating an object as malware, clients 120 may have “suggest”privileges. This may mean, for example, that clients 120 may identify anobject that they believe to be malware, and may either direct a specificmessage to JTI server 150, or may publish a general message identifyingthe object as malware. Because clients have only “suggest” privileges onDXL ESB 130, other DXL endpoints that subscribe to reputation updatesmay treat the identification as less authoritative than anidentification from a DXL network element with elevated privileges suchas “assign” privileges. Privileges, and especially elevated privilegessuch as “assign” privileges, may be authenticated by a securecertificate provided as part of a DXL message.

FIG. 1B is a network diagram of select elements in a context-awarenetwork 100 according to one or more examples of the presentspecification. As seen in FIG. 1B, an additional DXL broker 110-2 may beadded to service endpoints 120-3 and 120-4. DXL broker 110-2 maycommunicate with a second domain master 160-2, which may share domaindatabase 162 with domain master 160-1.

FIG. 2 is a network diagram disclosing a distributed architectureaccording to one or more examples of the present specification. In thisexample, DXL broker 110-1 may be designated as the “hub,” while DXLbrokers 110-2, 110-3, 110-4, and 110-5 may be designated as “spokes.” Inan example, all DXL traffic that passes through a spoke will beforwarded to the hub, which will distribute the traffic to other spokes.Designation of a DXL broker 110 as the hub may be accomplished via anysuitable means, such as selecting the hub based on MAC ID, IP address,or network proximity to domain master 160.

If DXL broker 110-1 goes offline, another hub may be at leasttemporarily needed. In that case, another hub may be elected. When DXLbroker 110-1 comes back online, it may resume its duties as a hub, ormay act as a spoke, depending on network topology and designconsiderations.

In another example, spokes may form a temporary mesh network uponconnecting to DXL broker 110-1. In yet other embodiments, DXL brokers110 may be configured to operate full time in a mesh configuration.

Additional extensibility may be provided by bridging DXL ESB 130 acrossdisparate networks, enabling data to be exchanged over larger networks,including the Internet. FIG. 3 is a network diagram of an example DXLnetwork operating across a traditional enterprise boundary according toone or more examples of the present specification. In this example,first enterprise 302 includes a DXL broker 110-2 which communicativelycouples to a domain master 160 and enterprise switch master (ESM) 330.In one embodiment, domain master 160 and ESM 330 may be coupled over atraditional (non-DXL) network interface 312. Domain master 160 mayconnect to an IP network 310. IP network 310 may be any communicativeplatform operable to exchange data or information emanating fromendpoints, including by way of non-limiting example, an Internetarchitecture providing end users with the ability to electronicallyinteract, a plain old telephone system (POTS), which end users could useto perform transactions in which they may be assisted by human operatorsor in which they may manually key data into a telephone or othersuitable electronic equipment, any packet data network (PDN) offering acommunications interface or exchange between any two nodes in a system,or any local area network (LAN), metropolitan area network (MAN), widearea network (WAN), wireless local area network (WLAN), virtual privatenetwork (VPN), intranet, or any other appropriate architecture or systemthat facilitates communications in a network or telephonic environment.

Second enterprise 304 also includes a DXL broker 110-1. DXL brokers 110may communicate with each other over DXL ESB 130. In this example, DXLESB 130 is physically provided by IP Network 310, but DXL traffic may bedistinguished from other types of Internet traffic such as http andother user-centric network traffic, for example because it is providedon a different port or protocol.

DXL broker 110-1 may also be coupled, for example, to a network serviceprovider (NSP) 340, antivirus agent 350, enterprise firewall 360, andadvanced threat detection appliance (ATD) 370.

ATD 370 may be a dedicated appliance, or a general-purpose computingmachine running advanced threat detection software. In one example, ATD370 is configured to analyze objects without existing reputations and toassign those objects threat levels based on the analysis.

As this figure demonstrates, DXL ESB 130 may be used to integrateheterogeneous or otherwise unrelated network architectures, even acrossdifferent enterprises. In an example, second enterprise 304 may be athird-party JTI service provider delivering ATD services to firstenterprise 302.

FIG. 4 is a network diagram of a context-aware network 400 according toone or more examples of the present specification. In an example,context-aware network 400 is substantially similar to context-awarenetwork 100. However, in context-aware network 400 domain master 160 isa common information model (CIM) server 410.

According to one or more examples of the present specification, CIM isan open and extensible logical database schema designed to hostdifferent types of situational and environmental information. CIM mayprovide robust representation of new objects, building blocks, and datatypes. Core entities of CIM include, by way of non-limiting example,assets, identities, applications, and locations.

CIM may provide many-to-many relationships and building blocks thatdrive multiple use cases. CIM may also support advanced datavisualization. Advantageously, according to one or more examples of thepresent specification, CIM scales massively and is open and extensible,allowing different product groups and third parties to develop new dataextensions.

In an example of a CIM use case, a “location” represents a collection ofnetwork elements forming a logical location mapped into a physicallocation or a place. The location context can be used, by way ofnon-limiting example, to gather complete understanding with regards tothe true scope and size of an organization (i.e., in the form of anetwork topology map).

CIM may also maintain the global authoritative state of situational andenvironmental information by synthesizing contextual information sharedby multiple data sources over DXL ESB 130.

FIG. 5 is a block diagram of a DXL broker according to one or moreexamples of the present specification. In some embodiments, DXL broker110, DXL services 190, and JTI server 150 may be provided in a singlephysical computing device.

In an example, DXL broker 110 is controlled by a processor 510.Processor 510 may connect to other system elements via system bus 570.Those other elements may include, by way of non-limiting example, amemory 520, network interface 540, and storage 550.

Processor 510 is configured to control DXL broker 110, for example viaexecutable software or firmware instructions. A “processor” as usedherein includes any combination of hardware, software, or firmwareproviding programmable logic, including by way of non-limiting example amicroprocessor, digital signal processor, field-programmable gate array,programmable logic array, application-specific integrated circuit, orvirtual machine processor.

Memory 520 may be a relatively low-latency volatile memory in someembodiments, and may include main memory, cache, on-chip memory, L1memory, L2 memory, or similar. Note that in this embodiment, processor510 is depicted in a direct memory access arrangement with memory 520,but in other embodiments, memory 520 may communicate with processor 510via system bus 570, via some other bus, or via some other means.Furthermore, although memory 520 and storage 550 are depicted in thisexample as physically or conceptually separate devices, it should beappreciated that in some embodiments, memory 520 and storage 550 mayshare a physical device, which may or may not be divided into separatememory areas. Thus, it should be appreciated that the arrangementdisclosed here is an example only, and not limiting. Rather, it isexpressly intended that even where a memory and storage are spoken ofseparately, they may be embodied in a single physical or logical deviceunless expressly stated otherwise.

In this example, network interface 540 provides a physical and logicalinterface to DXL ESB 130, and includes any communication medium, whetheranalog, digital, or mixed-signal, that is configured to communicativelycouple client 120 to other computing devices. Network interface 540 mayinclude, by way of non-limiting example, a WiFi, Ethernet, Firewire,fiber optic, USB, serial interface, infrared, cellular network, digitalPCS network, 2G data network, 3G data network, 4G WiMAX, or 4G LTE datanetwork. In some embodiments, network interface 540 may also provide aphysical and logical interface to IP network 310.

Storage 550 is disclosed as an example of a non-volatile memory medium,which may be a species of memory 520. In some embodiments, memory 520and storage 550 may be separate devices, with memory 520 being arelatively low-latency volatile memory device, and storage 550 being arelatively high-latency non-volatile memory device. Storage 550 may alsobe another device, such as a hard drive, solid-state drive, externalstorage, redundant array of independent disks (RAID), network-attachedstorage, optical storage, tape drive, backup system, or any combinationof the foregoing. Many other configurations are also possible, and areintended to be encompassed within the broad scope of this specification.

In an example, memory 520 includes DXL broker 522 and DXL servicessoftware 526. DXL broker 522 provides DXL broker services as describedherein. DXL services software 526 may provide DXL client services or DXLbroker 110. For example, DXL broker 110 may subscribe to certain typesof messages in a client capacity.

FIG. 6 is a block diagram of a CIM server 410 according to one or moreexamples of the present specification. In an example, CIM server 410 iscontrolled by a processor 610. Processor 610 may connect to other systemelements via system bus 670. Those other elements may include, by way ofnon-limiting example, a memory 620, network interface 640, and storage650. Reference is made to corresponding elements in FIG. 5, whichcontains additional details and definitions.

Memory 620 may include CIM server software 622. CIM server software 622may be configured to provide CIM services as described herein.

Storage 650 may include a local object database 652. Object database 652may contain stored information about objects on the network, including,for example, reputations and metadata.

FIG. 7 is a block diagram of a domain master 160 according to one ormore examples of the present specification. In an example, domain master160 is controlled by a processor 710. Processor 710 may connect to othersystem elements via system bus 770. Those other elements may include, byway of non-limiting example, a memory 720, network interface 740, andstorage 750. Reference is made to corresponding elements in FIG. 5,which contains additional details and definitions.

In an example, memory 720 includes domain master software 722 and DXLextension 724. Domain master software 722 may be configured to providedomain master services as described herein. DXL extensions 724 mayprovide server extensions that allow domain master 160 to operate on DXLESB 130. In some embodiments, DXL extension 724 may include instructionsthat permit domain master 160 to act as a DXL client in some situations.

FIG. 8 is a block diagram of a client 120 according to one or moreexamples of the present specification. Client 120 is controlled by aprocessor 810, which is communicatively coupled to a memory element 820.In an example, processor 810 is communicatively coupled to other systemelements via bus 870. Those elements may include, by way of non-limitingexample, a network interface 840, storage 850, which in some cases maybe a species of memory element 820, and a user interface 860. It isexpressly intended that any of the above elements can be realized inhardware, software, firmware, or any combination thereof.

In some embodiments, a user interface 860 may be provided to aid a userin interacting with client 120. A “user interface” includes anycombination of hardware, software, and firmware configured to enable auser to interact with client 120, whether or not in real-time. In theexample, user interface 360 may include, by way of non-limiting example,a keyboard (not shown), mouse (not shown), display monitor 842, speaker846, microphone 844, touch-sensitive display, which may act as acombined input/output device, and which may be a species of display 842,and a camera 848. User interface 860 may include software services suchas a graphical user interface, including real-time dialog boxes thatsolicit input or confirmation from a user.

In an example, memory 820 has stored therein executable instructionsoperable to provide software services, which may be contained in severaldistinct modules. A DXL client 826 may provide software services forinteracting with DXL ESB 130, and may include, for example, certificatesauthenticating client 120 on DXL ESB 130, subroutines for publishingmessages, and subroutines for parsing subscribed incoming messages. CIMclient 822 may provide CIM services as described with more particularityin relation to FIG. 4. CIM client 822 may also maintain a comprehensivecatalog of stored objects 852, including for example a comprehensivecatalog of installed applications. JTI client 824 may provide JTI clientservices, such as local reputation management and interactions with JTIserver 150. Client 120 may also have a separate antimalware agent 828,which may provide antivirus and other antimalware services. In somecases, antimalware agent 828 is integrated with JTI client 824.

FIG. 9 is a flow diagram illustrating evaluation of an object in ahierarchical manner according to one or more examples of the presentspecification.

In this example, policies on the left are designated as “black,” anddeterministically block an object, while policies on the right aredesignated as “white,” and deterministically allow an object. By way ofnon-limiting example, the policies of FIG. 9 are disclosed as a fixedhierarchy. However, this is not intended to be limiting. For example, inother embodiments, policies may be weighted, or serviced in around-robin fashion. Furthermore, in embodiments where a hierarchy isused, this particular hierarchy is not required.

In block 910, an administrator, which may be either or both of a humanoperator or a device with administrative credentials, may assign a“black” override to the object, which may be identified by a hash. Inblock 912, the administrator may provide a “white” override to an objectidentified by a hash.

In block 920, an administrator may assign a black override to an objectidentified by a certificate. In block 922, an administrator may assign awhite overwrite to an object identified by a certificate.

In block 930, threat intelligence service 180 may assign a black statusbased on a certificate. In block 932, threat intelligence service 180may assign an object a white status based on a certificate.

In block 940, threat intelligence service 180 may assign an object blackstatus based on a hash. In block 942, threat intelligence service 180may assign an object white status based on a hash.

In block 950, malware definitions may identify an object as black, whilein block 952, malware definitions may identify the object as white.

In block 960, JTI rules may assume that the object is dirty. In block962, JTI rules may assume that the object is clean.

JTI client 824 may prompt an end user, via user interface 860, toconfirm executing or opening an object. If the user declines, then inblock 970 the object is blocked. If the user confirms, then in block 972the object is allowed.

In block 980, if the object has passed all the preceding filters, adecision to either block or allow the object depends on JTI policies andalgorithms. This may include requesting a reputation for the object.

FIG. 10 is a flow diagram of a method performed by a client 120according to one or more examples of the present specification. In block1010, client 120 opens a new object. This may be, for example, because auser interacts with the object, or because an automated processinteracts with the object. In block 1020, client 120 checks to see ifthe object has a cache reputation in its local reputation database. Ifthe object has an existing reputation, then in block 1030, client 120may make a decision to either block or allow the object. In someexamples, client 120 may publish the block or allowed decision over DXLESB 130. This allows other DXL network objects that have subscribed tosuch updates to receive and integrate the decision. In block 1022, ifthere is no cache reputation, then client 120 may request a reputationfrom JTI server 150. In block 1024, client 120 may receive reputationdata from JTI server 150, whereupon control passes to block 130. Asshown by the looping arrow back to 1010, this process may be repeatedfor each new object.

FIG. 10A is a flow diagram of a method performed by JTI server 150 inconnection with the method of FIG. 10 according to one or more exampleembodiments of the present specification. In block 1040, JTI server 150receives a reputation request from client 120. In block 1060, JTI server150 may query its local database to find whether the object is alreadyknown. If the object is known, then in block 1070, JTI server 150 mayupdate its local threat intelligence database. This may include, forexample, noting the circumstances of the request from client 120. Inblock 1080, JTI server 150 may return the reputation data to client 120.In block 1090, the method is complete.

Returning to block 1060, if the object is not known, then in block 1050JTI server 150 may request information from the threat intelligenceservice 180. In block 1052, JTI server 150 receives threat intelligencedata from threat intelligence service 180, and in block 1070 updates itslocal JTI database with the received intelligence. Again in block 1080,the intelligence is returned to client 120, and in block 1090 theprocess is done.

Block 1034 represents an alternate entry point into the method. At block1034, a JTI server 150 receives a published decision, for example adecision published by client 120 according to a method of FIG. 10.Depending on the network configuration, JTI server 150 may subscribe topublished block/allow decisions, and in block 1070 may use a publishdecision to update its local database. In this case, control passesdirectly from block 1080 to block 1090.

FIG. 11 is a flow diagram of a method of a JTI server 150 servicing areputation request according to one or more examples of the presentspecification. In some embodiments, the method of FIG. 11 may beperformed in connection with block 1080 of FIG. 10A. In block 1110, anadministrator may enter white or black overrides, for example asdisclosed in connection with FIG. 9. Block 1040 corresponds to block1040 of FIG. 10A, in which the JTI server 150 receives a reputationrequest from client 120. In block 1130, JTI server 150 checks to seewhether the administrator has entered an override, such as anenterprise-wide override. In particular, an override may remove thedecision of whether to allow or block the object. Instead, the overridemay deterministically allow or block the object. Thus, in block 1140,JTI server 150 returns the override to client 120. In block 1130, ifthere is no enterprise override, then in block 1150, JTI server 150returns the reputation for client 120 to act on.

FIG. 12 is a flow diagram of an enhancement to the method of FIG. 10Aaccording to one or more examples of the present specification. Blocksin FIG. 12 with numbering identical to the blocks in FIG. 10A may beidentical in function to the blocks disclosed in FIG. 10A.

New block 1210 queries whether threat intelligence is available fromthreat intelligence service 180. If threat intelligence is available,then in block 1052, JTI server 150 receives the threat intelligence aswith FIG. 10A. In block 1220, if no threat intelligence is available,then JTI server 150 may send the object to ATD 370 for analysis. Ratherthan respond directly to the request, ATD 370 may publish reputationdata for the object once it has completed its analysis. In block 1230,JTI server 150 may subscribe to published reputation data messages, andthus may receive the DXL message published by ATD 370. The remainder ofthe method may be unchanged.

Certain prior art security architectures rely on a “pull” model ofsecurity updates, such as weekly downloads of updated virus definitions.In some cases, this may introduce unacceptable latency in providingsecurity updates to clients 120 and other DXL endpoints. Advantageously,the context-aware network 100 of the present specification may providemachine-real-time security updates when new threats are identified.

FIG. 13 is a flow diagram of a method performed by a DXL master 160according to one or more examples of the present specification. Blocks1310, 1320, and 1330 represent three example “policy update driver”scenarios in which a security policy update is desirable. In block 1310,domain master 160 detects a new threat. In an example, domain master 160detects the threat by receiving updated reputation information, forexample from threat intelligence service 180. In another example, domainmaster 160 detects the threat by receiving a published notification onDXL ESB 130 identifying an object as malware. In yet another example,domain master 160 identifies the object as malware by analyzing theobject and determining that it exhibits malware behavior.

In block 1320, domain master 160 proactively identifies a policy changerequirement, such as an update to an existing security policy, or theneed for a new policy. This may be the result, for example, of networkheuristics, or of proactive analysis of network traffic.

In block 1330, an administrator may provide a change in policy, or a newpolicy.

In block 1340, domain master 160 configures a policy update responsiveto inputs. Configuring the policy update may include designating anaction to take in response to the object. The action may include, by wayof nonlimiting example, quarantine, block, delete, sandbox, denypermissions (e.g., if the object is identified as grayware), remedy,prompt, or custom actions.

In block 1350, domain master 160 may provide the updated policy to DXLbrokers 110. Providing the updated policy may include publishing acommand-level message on DXL ESB 130. In some examples, in block 1360,domain master 160 may also publish a message suitable for clients 120 toreceive the updated security policy. In some cases, clients 120 may bemanaged devices, and the published message may be a command-levelmessage. Once domain master 160 has published the message to appropriateendpoints, in block 1390 the process may be complete.

FIG. 14 is a flow diagram of a method performed by DXL broker 110, inresponse to a command-level message containing a security policyconfiguration update, according to one or more examples of the presentspecification. In block 1410, DXL broker 110 receives the policy updatefrom domain master 160. In block 1420, DXL broker 110 verifiescredentials received from domain master 160. This may include, forexample, verifying a security certificate provided with thecommand-level message. If the certificate is not verified, then noaction is taken, and in block 1490, the process is done. If thecertificate is verified, then in block 1440, DXL broker 110 may updateits local security database. In block 1450, DXL broker 110 may alsopublish a message on DXL ESB 130 notifying endpoints of the change. Notethat in some embodiments, this publication may be unnecessary, as domainmaster 160 may take responsibility for publishing the security update.Thus, in some embodiments, the security policy update itself may includeinstructions for DXL broker 110, including whether or not toadditionally publish the updated security policy. In block 1490, theprocess is done.

FIG. 15 is a flow diagram of a method performed by a client 120responsive to receiving a security policy update, either from domainmaster 160, or DXL broker 110 according to one or more exampleembodiments of the present specification. In block 1510, client 120receives the updated security policy. In block 1520, client 120 verifiesthe credentials of the device that sent the updated security policy. Inblock 1530, if the credentials are not valid, then no action is taken,and in block 1590 the method is done.

Advantageously, according to the methods disclosed herein, DXL endpointsmay maintain a state of consistent readiness in dealing with threats.This may be particularly useful in dealing with so-called “zero day”exploits, where rapid response is critical.

The foregoing outlines features of several embodiments so that thoseskilled in the art may better understand the aspects of the presentdisclosure. Those skilled in the art should appreciate that they mayreadily use the present disclosure as a basis for designing or modifyingother processes and structures for carrying out the same purposes and/orachieving the same advantages of the embodiments introduced herein.Those skilled in the art should also realize that such equivalentconstructions do not depart from the spirit and scope of the presentdisclosure, and that they may make various changes, substitutions, andalterations herein without departing from the spirit and scope of thepresent disclosure.

The particular embodiments of the present disclosure may readily includea system on chip (SOC) central processing unit (CPU) package. An SOCrepresents an integrated circuit (IC) that integrates components of acomputer or other electronic system into a single chip. It may containdigital, analog, mixed-signal, and radio frequency functions: all ofwhich may be provided on a single chip substrate. Other embodiments mayinclude a multi-chip-module (MCM), with a plurality of chips locatedwithin a single electronic package and configured to interact closelywith each other through the electronic package. In various otherembodiments, the digital signal processing functionalities may beimplemented in one or more silicon cores in Application SpecificIntegrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs), andother semiconductor chips.

In example implementations, at least some portions of the processingactivities outlined herein may also be implemented in software. In someembodiments, one or more of these features may be implemented inhardware provided external to the elements of the disclosed FIGUREs, orconsolidated in any appropriate manner to achieve the intendedfunctionality. The various components may include software (orreciprocating software) that can coordinate in order to achieve theoperations as outlined herein. In still other embodiments, theseelements may include any suitable algorithms, hardware, software,components, modules, interfaces, or objects that facilitate theoperations thereof.

Additionally, some of the components associated with describedmicroprocessors may be removed, or otherwise consolidated. In a generalsense, the arrangements depicted in the FIGURES may be more logical intheir representations, whereas a physical architecture may includevarious permutations, combinations, and/or hybrids of these elements. Itis imperative to note that countless possible design configurations canbe used to achieve the operational objectives outlined herein.Accordingly, the associated infrastructure has a myriad of substitutearrangements, design choices, device possibilities, hardwareconfigurations, software implementations, equipment options, etc.

Any suitably-configured processor component can execute any type ofinstructions associated with the data to achieve the operations detailedherein. Any processor disclosed herein could transform an element or anarticle (for example, data) from one state or thing to another state orthing. In another example, some activities outlined herein may beimplemented with fixed logic or programmable logic (for example,software and/or computer instructions executed by a processor) and theelements identified herein could be some type of a programmableprocessor, programmable digital logic (for example, a field programmablegate array (FPGA), an erasable programmable read only memory (EPROM), anelectrically erasable programmable read only memory (EEPROM)), an ASICthat includes digital logic, software, code, electronic instructions,flash memory, optical disks, CD-ROMs, DVD ROMs, magnetic or opticalcards, other types of machine-readable mediums suitable for storingelectronic instructions, or any suitable combination thereof. Inoperation, processors may store information in any suitable type ofnon-transitory storage medium (for example, random access memory (RAM),read only memory (ROM), field programmable gate array (FPGA), erasableprogrammable read only memory (EPROM), electrically erasableprogrammable ROM (EEPROM), etc.), software, hardware, or in any othersuitable component, device, element, or object where appropriate andbased on particular needs. Further, the information being tracked, sent,received, or stored in a processor could be provided in any database,register, table, cache, queue, control list, or storage structure, basedon particular needs and implementations, all of which could bereferenced in any suitable timeframe. Any of the memory items discussedherein should be construed as being encompassed within the broad term‘memory.’ Similarly, any of the potential processing elements, modules,and machines described herein should be construed as being encompassedwithin the broad term ‘microprocessor’ or ‘processor.’

Computer program logic implementing all or part of the functionalitydescribed herein is embodied in various forms, including, but in no waylimited to, a source code form, a computer executable form, and variousintermediate forms (for example, forms generated by an assembler,compiler, linker, or locator). In an example, source code includes aseries of computer program instructions implemented in variousprogramming languages, such as an object code, an assembly language, ora high-level language such as OpenCL, Fortran, C, C++, JAVA, or HTML foruse with various operating systems or operating environments. The sourcecode may define and use various data structures and communicationmessages. The source code may be in a computer executable form (e.g.,via an interpreter), or the source code may be converted (e.g., via atranslator, assembler, or compiler) into a computer executable form.

In the discussions of the embodiments above, the capacitors, buffers,graphics elements, interconnect boards, clocks, DDRs, camera sensors,dividers, inductors, resistors, amplifiers, switches, digital core,transistors, and/or other components can readily be replaced,substituted, or otherwise modified in order to accommodate particularcircuitry needs. Moreover, it should be noted that the use ofcomplementary electronic devices, hardware, non-transitory software,etc. offer an equally viable option for implementing the teachings ofthe present disclosure.

In one example, any number of electrical circuits of the FIGURES may beimplemented on a board of an associated electronic device. The board canbe a general circuit board that can hold various components of theinternal electronic system of the electronic device and, further,provide connectors for other peripherals. More specifically, the boardcan provide the electrical connections by which the other components ofthe system can communicate electrically. Any suitable processors(inclusive of digital signal processors, microprocessors, supportingchipsets, etc.), memory elements, etc. can be suitably coupled to theboard based on particular configuration needs, processing demands,computer designs, etc. Other components such as external storage,additional sensors, controllers for audio/video display, and peripheraldevices may be attached to the board as plug-in cards, via cables, orintegrated into the board itself. In another example, the electricalcircuits of the FIGURES may be implemented as stand-alone modules (e.g.,a device with associated components and circuitry configured to performa specific application or function) or implemented as plug-in modulesinto application specific hardware of electronic devices.

Note that with the numerous examples provided herein, interaction may bedescribed in terms of two, three, four, or more electrical components.However, this has been done for purposes of clarity and example only. Itshould be appreciated that the system can be consolidated in anysuitable manner. Along similar design alternatives, any of theillustrated components, modules, and elements of the FIGURES may becombined in various possible configurations, all of which are clearlywithin the broad scope of this Specification. In certain cases, it maybe easier to describe one or more of the functionalities of a given setof flows by only referencing a limited number of electrical elements. Itshould be appreciated that the electrical circuits of the FIGURES andits teachings are readily scalable and can accommodate a large number ofcomponents, as well as more complicated/sophisticated arrangements andconfigurations. Accordingly, the examples provided should not limit thescope or inhibit the broad teachings of the electrical circuits aspotentially applied to a myriad of other architectures.

Numerous other changes, substitutions, variations, alterations, andmodifications may be ascertained to one skilled in the art and it isintended that the present disclosure encompass all such changes,substitutions, variations, alterations, and modifications as fallingwithin the scope of the appended claims. In order to assist the UnitedStates Patent and Trademark Office (USPTO) and, additionally, anyreaders of any patent issued on this application in interpreting theclaims appended hereto, Applicant wishes to note that the Applicant: (a)does not intend any of the appended claims to invoke paragraph six (6)of 35 U.S.C. section 112 as it exists on the date of the filing hereofunless the words “means for” or “steps for” are specifically used in theparticular claims; and (b) does not intend, by any statement in thespecification, to limit this disclosure in any way that is not otherwisereflected in the appended claims.

Example Embodiment Implementations

There is disclosed in an example 1, one or more non-transitorycomputer-readable mediums having stored thereon executable instructionsfor providing a domain master, the executable instructions operable toinstruct a processor to:

identify a policy update driver;

configure a policy update; and

publish the policy update as a data exchange layer (DXL) message.

There is disclosed in an example 2, the computer-readable medium ofexample 1, wherein the DXL message is a command-level message.

There is disclosed in an example 3, the computer-readable medium ofexample 1 or 2, wherein the DXL message is targeted to DXL endpoints.

There is disclosed in an example 4, the computer-readable medium of anyof examples 1-3, wherein the instructions operable to identify a policyupdate driver are operable to receive a malware threat message from athreat intelligence service.

There is disclosed in an example 5, the computer-readable medium of anyof examples 1-4, wherein the instructions operable to identify a policyupdate driver are operable to proactively identify a policy update need.

There is disclosed in an example 6, the computer-readable medium of anyof examples 1-5, wherein the instructions operable to identify a policyupdate driver are operable to receive a policy update from anadministrator.

There is disclosed in an example 7, the computer-readable medium of anyof examples 1-6, wherein the instructions operable to configure a policyupdate are operable to direct DXL endpoints to take an action selectedfrom the group consisting of quarantine, block, delete, sandbox, denypermissions, remedy, prompt, or custom action.

There is disclosed in an example 8, a data exchange layer (DXL) domainmaster comprising:

-   -   a processor;    -   a network interface configured to communicatively couple the        processor to a DXL enterprise service bus; and    -   a memory having stored therein executable instructions operable        to instruct the processor to:        -   identify a policy update driver;        -   configure a policy update; and        -   publish the policy update as a data exchange layer (DXL)            message.

There is disclosed in an example 9, the DXL domain master of example 8,wherein the DXL message is a command-level message.

There is disclosed in an example 10, the DXL domain master of example 8or 9, wherein the DXL message is targeted to DXL endpoints.

There is disclosed in an example 11, the DXL domain master of any ofexamples 8-10, wherein the instructions operable to identify a policyupdate driver are operable to receive a malware threat message from athreat intelligence service.

There is disclosed in an example 12, the DXL domain master of any ofexamples 8-11, wherein the instructions operable to identify a policyupdate driver are operable to proactively identify a policy update need.

There is disclosed in an example 13, the DXL domain master of any ofexamples 8-12, wherein the instructions operable to identify a policyupdate driver are operable to receive a policy update from anadministrator.

There is disclosed in an example 14, the DXL domain master of any ofexamples 8-13, wherein the instructions operable to configure a policyupdate are operable to direct DXL endpoints to take an action selectedfrom the group consisting of quarantine, block, delete, sandbox, denypermissions, remedy, prompt, or custom action.

There is disclosed in an example 15, a method of providing DXL domainmaster services, comprising:

identifying a policy update driver;

configuring a policy update; and

publishing the policy update as a data exchange layer (DXL) message.

There is disclosed in an example 16, the method of example 15, whereinthe DXL message is a command-level message.

There is disclosed in an example 17, the method of example 15 or 16,wherein the DXL message is targeted to DXL endpoints.

There is disclosed in an example 18, the method of any of examples15-17, wherein identifying a policy update driver comprises receiving amalware threat message from a threat intelligence service.

There is disclosed in an example 19, the method of any of examples15-18, wherein identifying a policy update driver comprises proactivelyidentifying a policy update need.

There is disclosed in an example 20, the method of any of examples15-19, wherein identifying a policy update driver comprises receiving apolicy update from an administrator.

There is disclosed in an example 21, the method of any of examples15-20, wherein configuring a policy update comprises directing DXLendpoints to take an action selected from the group consisting ofquarantine, block, delete, sandbox, deny permissions, remedy, prompt, orcustom action.

What is claimed is:
 1. One or more non-transitory computer-readablemediums having stored thereon executable instructions for providing adata exchange layer (DXL) broker, the executable instructions whenexecuted instruct a processor to: communicatively couple to a DXLenterprise service bus (ESB); provide an application programminginterface (API) to authenticate and register DXL endpoints with the DXLbroker; maintain a DXL routing table of registered DXL endpoints for theDXL broker; and provide real-time context-aware DXL messaging forregistered DXL endpoints, wherein providing DXL message routingcomprises providing a message queueing telemetry transport (MQTT)-basedone-to-one (1:1) request-response framework on a one-to-many (1:N, N>1)publish-subscribe fabric.
 2. The one or more non-transitorycomputer-readable mediums of claim 1, wherein the executableinstructions are further to instruct the processor to: identify a policyupdate driver; configure a policy update; and publish the policy updateas a DXL message via the DXL ESB.
 3. The one or more non-transitorycomputer-readable mediums of claim 2, wherein the DXL message is acommand-level message.
 4. The one or more non-transitorycomputer-readable mediums of claim 2, wherein the DXL message istargeted to DXL endpoints.
 5. The one or more non-transitorycomputer-readable mediums of claim 2, wherein the instructions arefurther to instruct the processor to identify a policy update driver andreceive a malware threat message from a threat intelligence service. 6.The one or more non-transitory computer-readable mediums of claim 2,wherein the instructions are further to instruct the processor toidentify a policy update driver and proactively identify a policy updateneed.
 7. The one or more non-transitory computer-readable mediums ofclaim 2, wherein the instructions are further to instruct the processorto identify a policy update driver and receive a policy update from anadministrator.
 8. The one or more non-transitory computer-readablemediums of claim 2, wherein the instructions are further to instruct theprocessor to configure a policy update and direct DXL endpoints to takean action selected from the group consisting of quarantine, block,delete, sandbox, deny permissions, remedy, prompt, or custom action. 9.A data exchange layer (DXL) broker comprising: a processor; a networkinterface; and a memory having stored therein executable instructionsconfigured to instruct the processor to: communicatively couple to a DXLenterprise service bus (ESB) via the network interface; provide anapplication programming interface (API) to authenticate and register DXLendpoints with the DXL broker; maintain a DXL routing table ofregistered DXL endpoints for the DXL broker; and provide real-timecontext-aware DXL messaging for registered DXL endpoints, whereinproviding DXL message routing comprises providing a message queueingtelemetry transport (MQTT)-based one-to-one (1:1) request-responseframework on a one-to-many (1:N, N>1) publish-subscribe fabric.
 10. TheDXL broker of claim 9, wherein the executable instructions are furtherconfigured to instruct the processor to: identify a policy updatedriver; configure a policy update; and publish the policy update as aDXL message via the DXL ESB.
 11. The DXL broker of claim 10, wherein theDXL message is a command-level message.
 12. The DXL broker of claim 10,wherein the DXL message is targeted to DXL endpoints.
 13. The DXL brokerof claim 10, wherein the instructions configured to identify a policyupdate driver are configured to receive a malware threat message from athreat intelligence service.
 14. The DXL broker of claim 10, wherein theinstructions configured to identify a policy update driver areconfigured to proactively identify a policy update need.
 15. The DXLbroker of claim 10, wherein the instructions configured to identify apolicy update driver are configured to receive a policy update from anadministrator.
 16. The DXL broker of claim 10, wherein the instructionsconfigured to configure a policy update are configured to direct DXLendpoints to take an action selected from the group consisting ofquarantine, block, delete, sandbox, deny permissions, remedy, prompt, orcustom action.
 17. A method of providing data exchange layer (DXL)broker services, comprising: communicatively coupling a computingapparatus to a DXL enterprise service bus (ESB); providing anapplication programming interface (API) to authenticate and register DXLendpoints with the DXL broker; maintaining a DXL routing table ofregistered DXL endpoints for the DXL broker; and providing real-timecontext-aware DXL messaging for registered DXL endpoints, whereinproviding DXL message routing comprises providing a message queueingtelemetry transport (MQTT)-based one-to-one (1:1) request-responseframework on a one-to-many (1:N, N>1) publish-subscribe fabric.
 18. Themethod of claim 17, further comprising: identifying a policy updatedriver; configuring a policy update; and publishing the policy update asa DXL message via the DXL ESB.
 19. The method of claim 18, wherein theDXL message is a command-level message.
 20. The method of claim 18,wherein the DXL message is targeted to DXL endpoints.
 21. The method ofclaim 18, wherein identifying a policy update driver comprises receivinga malware threat message from a threat intelligence service.
 22. Themethod of claim 18, wherein identifying a policy update driver comprisesproactively identifying a policy update need.
 23. The method of claim18, wherein identifying a policy update driver comprises receiving apolicy update from an administrator.
 24. The method of claim 18, whereinconfiguring a policy update comprises directing DXL endpoints to take anaction selected from the group consisting of quarantine, block, delete,sandbox, deny permissions, remedy, prompt, or custom action.